White House cybersecurity czar brags about his lack of technical expertise

Michael Daniel is the White House’s cybersecurity coordinator, the man who “leads the interagency development of national cybersecurity strategy and policy” for the president. And in a recent interview with GovInfoSecurity, he argued that his lack of technical expertise gave him an advantage in doing that job.

“You don’t have to be a coder in order to really do well in this position,” Daniel said, when asked if his job required knowledge of the technology behind information security. “In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction.”

“You can get taken up and enamored with the very detailed aspects of some of the technical solutions,” he explained, arguing that “the real issue is looking at the broad strategic picture.”

As Princeton computer scientist (and, full disclosure, my former advisor) Ed Felten points out, it’s hard to imagine senior policymakers with responsibility for other technical subjects making this kind of claim. Imagine a White House economic advisor arguing that experience in the weeds of economic research would be a distraction, an attorney general making that claim about time in a courtroom, or a surgeon general bragging about never having set foot in an operating room.

In most parts of government, it’s considered a major asset if senior policymakers have experience in the weeds of the topics they work on. The surgeon general has an MD, as does the head of the Centers for Disease Control and Prevention. The head of the National Institutes of Health has a PhD in chemistry and did groundbreaking research on the human genome. All three members of the Council of Economic Advisors have PhDs in economics, as does the head of the Federal Reserve. The attorney general has a law degree, as do both of his deputies.

In contrast, Daniel has degrees in public policy and spent 17 years at the Office of Management and Budget. He did some policy work on cybersecurity there, but by his own admission has little experience programming computers or securing computer networks from attack.

Daniel says that his most important skill is “being able to analyze and break down really complicated public policy problems and present them in a manner that makes them more amenable to analysis.” That’s obviously an important skill, and it’s one that many computer programmers lack. You wouldn’t want to give Daniel’s job to a random Google coder.

But at the same time, it would be helpful for Daniel to have some experience in the weeds of computer security. Washington is full of defense contractors peddling alarmist stories in order to sell their overpriced cybersecurity “solutions.” To distinguish genuine threats from trumped up ones, it’s hugely valuable to have spent some time in the cybersecurity trenches.

No one would deny that having spent time in a courtroom makes you a better attorney general or that spending time in an operating room makes you a better surgeon general. This kind of experience doesn’t just provide people with deeper knowledge of their subjects, it also connects them to a network of other experts who can help them evaluate and implement policy. People who do cybersecurity policy need the same kind of experience and connections to do their jobs well.

With that said, there’s a reason that presidents so often rely on people without technical expertise when making cybersecurity decisions: there aren’t many people with experience in both computer security and government. The Treasury Department and Federal Reserve are full of trained economists with government experience. The Department of Justice is full of lawyers with both courtroom and policymaking experience. The CDC is full of physicians who understand the policymaking process.

But right now, there isn’t a good career path for young computer scientists to gain the kind of policy experience that would lead to senior government jobs. As a result, presidents are too often forced to choose between people with government experience or computer science experience.

But there are some people with both. The president and other senior policymakers should be trying harder to hire them. And we should be expanding opportunities for younger cybersecurity and IT policy experts to work in government, so presidents a decade or two from now have a deeper bench to choose from.